Review of SEC Contracts for Inclusion of Language Addressing Privacy Act Requirements

July 18, 2011
Report No. 496
Review Conducted by C5i Federal, Inc.

Review of SEC Contracts for Inclusion of Language Addressing Privacy    July 18, 2011
Report No. 496


UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

MEMORANDUM
July 18, 2011

To:       Jayne L. Seidman, Acting Associate Chief Operating Officer, Office of Administrative Services (OAS)

          Thomas Bayer, Chief Information Officer, Office of Information Technology (OIT)

From:     H. David Kotz, Inspector General, Office of Inspector General

Subject:  Review of SEC Contracts for Inclusion of Language Addressing Privacy Act Requirements, Report No. 496

This memorandum transmits the U.S. Securities and Exchange Commission’s Office of Inspector General’s (OIG’s) final report on the OIG’s review of SEC contracts for inclusion of language that addresses Privacy Act requirements. The report contains two recommendations which, if implemented, should strengthen OAS’s contract oversight. We are pleased your offices concurred with both recommendations. Your written response to the draft report is included in Appendix IV.

Within the next 45 days, please provide the OIG with a written corrective action plan that is designed to address the agreed-upon recommendations. The corrective action plan should include information such as the responsible official/point of contact, timeframes for completing the required actions, and milestones identifying how you will address the recommendations cited in this report.

Should you have any questions regarding the report, please do not hesitate to contact me. We appreciate the courtesy and cooperation that you and your staff provided our contractors and staff during this review.

Attachment

cc:   James R. Burns, Deputy Chief of Staff, Office of the Chairman
      Luis A. Aguilar, Commissioner
      Troy A. Paredes, Commissioner
      Elisse B. Walter, Commissioner
      Kathleen L. Casey, Commissioner
      Jeff Heslop, Chief Operating Officer, Executive Director, Office of Chief of Operations
      Todd Scharf, Chief Information Security Officer, Office of Information Technology


Review of SEC Contracts for Inclusion of Language Addressing Privacy Act Requirements

Background

In August 2010, the U.S. Securities and Exchange Commission (SEC or Commission), Office of Inspector General (OIG), contracted with C5i Federal, Inc. (C5i), for assistance in completing and coordinating the OIG’s input to the Commission’s response to Office of Management and Budget (OMB) Memorandum M-10-15, fiscal year (FY) 2010 Reporting Instructions for the Federal Information Security Management Act (FISMA) and agency privacy management, [1] and to perform two additional FISMA-related reviews. One of these additional reviews addresses the SEC’s Continuous Monitoring Program. [2] This report presents the results of the other review, which addresses whether SEC contracts contain appropriate language addressing Privacy Act requirements, including provisions for protecting SEC personally identifiable information (PII). [3]

Subsection (m)(1) of the Privacy Act of 1974 provides that when an agency contracts for the operation of a system of records to accomplish an agency function, the agency must include in the terms of the contract provisions making the contractor responsible for complying with the Privacy Act. It also makes these contractors liable under the criminal provisions of the Act. [4] SEC Administrative Regulation 24-08 (SECR 24-08) establishes policy for the Commission’s privacy program, including the protection of PII that is collected by the SEC. SECR 24-08 applies not only to SEC employees, but also to contractors and others working on behalf of the SEC who handle, control, or have access to information, documents, or systems that contain PII. [5]

In conducting this assessment, C5i reviewed a judgment sample consisting of 11 SEC contracts that included language requiring the contractors to handle SEC PII. C5i also reviewed the results of the SEC’s FY 2010 Section (m) Contracts Compliance Review memorandum, which contains the results of the SEC Privacy Office’s review of eight randomly selected SEC contracts for compliance with Privacy Act requirements.

[1] OIG, 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 3, 2011).
[2] OIG, Assessment of the SEC’s Continuous Monitoring Program, Report No. 497 to be issued in late July 2011.
[3] In August 2010, the SEC’s Ethics and Compliance Employee Hotline received a call expressing concern over the handling of PII by third-party vendors during the disgorgement process. This assessment does not specifically describe the assessment of the handling of PII by third-party vendors engaged to administer disgorgements because: (1) the complaint was not found to be substantiated and (2) most disgorgements are administered by court-appointed third-party vendors who are not under contract with the SEC.
[4] 5 U.S.C. § 552a(m)(1).
[5] SECR 24-08, Management and Protection of Privacy Act Records and Other Personally Identifiable Information (Apr. 14, 2010), p. 1.

Objective

The objective of this review was to determine whether the Securities and Exchange Commission’s contracts contain appropriate language addressing Privacy Act requirements.

Finding 1: OAS’s Contracts Contain Appropriate Language Addressing Privacy Act Requirements

C5i reviewed a judgment sample consisting of 11 SEC contracts that included language requiring vendors to handle SEC PII. The sample contained employee recruitment, financial systems management, and information technology contracts. C5i found that each of the contracts in the sample contained the appropriate sections addressing such requirements as nondisclosure agreements, system security, and PII protection.

C5i also reviewed the results of the SEC’s FY 2010 Section (m) Contracts Compliance Review memorandum, dated November 3, 2010, which details the results of the SEC Privacy Office’s review of eight randomly selected SEC contracts for compliance with Privacy Act requirements. The review concluded that all sampled contracts included language binding vendors to the requirements of the Privacy Act. C5i examined 6 additional contracts to verify that they contained the appropriate provisions required by the Privacy Act for nondisclosure agreements, background investigations of personnel, PII handling, and security of systems. C5i found that the contracts did include such provisions and therefore concurs with the conclusions of the FY 2010 Section (m) Contracts Compliance Review Memorandum.

Although C5i’s assessment found that the SEC’s contracts contain language requiring that vendors and their employees comply with the Privacy Act, strengthening the language in SEC contracts that pertains to privacy and information might help to ensure vendors’ compliance with those provisions. For example, new contracts could include provisions requiring vendors to provide copies of their privacy policies, privacy impact assessments, and evidence that their systems have been certified and accredited consistent with industry best practices. New contracts and interconnectivity agreements could also include provisions requiring that security requirements defined by the Office of Information Technology (OIT) are achieved for PII data transmitted over public networks or stored on portable media. Including such provisions could further reduce the risk that PII will be mishandled.

Recommendation 1:

The Office of Administrative Services should add language provided by the Office of Information Technology to new service contracts that require the handling of PII data stating that the U.S. Securities and Exchange Commission requires the contractor to provide copies of the contractor’s privacy policies and privacy impact assessments.

Management Comments. OAS and OIT concurred with this recommendation. See Appendix IV for management’s full comments.

OIG Analysis. We are pleased that OAS and OIT concurred with this recommendation.

Recommendation 2:

The Office of Administrative Services should add Office of Information Technology-defined security requirements to applicable contracts stating that contractors handling electronic personally identifiable information (PII) data may be required to meet defined security requirements when transmitting PII data across public networks (i.e., Internet) or stored on portable media. The Office of Information Technology should also add language to applicable interconnectivity agreements stating that partners transmitting electronic PII data across public networks (i.e., Internet) are required to meet the Office of Information Technology-defined security requirements.

Management Comments. OAS and OIT concurred with this recommendation. See Appendix IV for management’s full comments.

OIG Analysis. We are pleased that OAS and OIT concurred with this recommendation.


Appendix I

Abbreviations/Acronyms

FY                   fiscal year
OIG                  Office of Inspector General
OMB                  Office of Management and Budget
OIT                  Office of Information Technology
PII                  personally identifiable information
SEC or Commission    U.S. Securities and Exchange Commission


Appendix II

Scope and Methodology

Scope. Initially the scope of this review was to review the handling of PII by third-party vendors during the disgorgement process. This review was initiated because of concerns raised in an anonymous call to the Ethics and Compliance Employee Hotline about mishandling of PII by third-party vendors during the disgorgement process. Following a review of the disgorgement process and interviews with SEC Enforcement Division staff, C5i learned that the SEC is not a party to contracts with third-party vendors appointed by courts to process disgorgements and therefore has no liability related to PII in such cases. Therefore, the scope of work was modified and limited to a review of the disgorgement process and a sample of SEC contracts to determine whether they included language that bound vendors to comply with the Privacy Act.

Methodology. C5i reviewed a judgmental sample of 11 contracts to determine whether they included appropriate language related to the Privacy Act; the results of a Privacy Office review of contracts to determine whether they included provisions required by the Privacy Act, including provisions for the protection of PII; and documentation provided by the Enforcement Division detailing disgorgement processes and procedures. We relied on information requested from and supplied by the Enforcement Division and on interviews with Enforcement Division staff to understand the division’s policies, methods of operation, and procedures with respect to disgorgements. C5i also interviewed staff in the Office of Administrative Services and the Privacy Office concerning contracting procedures and which Privacy Act provisions were required to be included in contracts.

Use of Computer-Processed Data. C5i used data provided in an Excel spreadsheet by the Enforcement Division that showed disgorgements processed in FYs 2009 and 2010.

Recent OIG Reports Addressing Privacy-Related Issues. The following OIG reports also address privacy-related issues:

   •   OIG Report No. 489, 2010 Annual FISMA Executive Summary Report, issued on March 3, 2011, which contained eight recommendations to strengthen the Commission’s security posture.

   •   OIG Report No. 485, Assessment of the SEC’s Privacy Program, issued on September 29, 2010, which contained 20 recommendations to strengthen and improve the Commission’s security posture for protecting PII.

   •   OIG Report No. 476, Evaluation of the SEC Encryption Program, issued on March 26, 2010, which contained three recommendations to strengthen information technology management controls for safeguarding the Commission’s information.

   •   OIG Report No. 475, Evaluation of the SEC Privacy Program, issued on March 26, 2010, which contained one recommendation to manage and operate the privacy program with appropriate internal controls, privacy controls, and oversight.


Appendix III

Criteria

Privacy Act of 1974, subsection (m)(1). Statutory provision requiring that when an agency contracts for the operation of a system of records to accomplish an agency function, the agency must include in the terms of the contract provisions making the contractor responsible for complying with the Privacy Act.

SEC Administrative Regulation 24-08, April 14, 2010. Internal policy document that establishes agencywide policy for the Commission’s privacy program, including protection of PII collected by the SEC. It applies to all SEC employees, contractors, interns, and others working on behalf of the SEC who handle, control, or access information or systems that contain PII or records subject to the Privacy Act.


Appendix IV

Management’s Comments

MEMORANDUM

July 15, 2010

To:       H. David Kotz
          Inspector General
          Office of Inspector General

From:     Jayne L. Seidman
          Acting Associate Chief Operating Officer
          Office of Administrative Services

Subject:  OAS Response to OIG Draft Audit Review of SEC Contracts for Inclusion of Language Addressing Privacy Act Requirements, Report No. 496

Thank you for the opportunity to review and comment.

Recommendation 1:
The Office of Administrative Services (OAS) should add language provided by the Office of Information Technology to new service contracts that require the handling of PII data stating that the U.S. Securities and Exchange Commission requires the contractor to provide copies of the contractor’s privacy policies and privacy impact assessments.

OAS concurs. OAS will include in new service contracts the language provided by the Office of Information Technology.

Recommendation 2:
The Office of Administrative Services should add Office of Information Technology-defined security requirements to applicable contacts stating that contractors handling electronic personally identifiable information (PII) data may be required to meet defined security requirements when transmitting PII data across public networks (i.e. Internet) or stored on portable media. The Office of Information Technology should add language to applicable interconnectivity agreements (IAA) stating that partners transmitting electronic PII data across public networks (i.e. Internet) are required to meet the Office of Information Technology-defined security requirements.

OAS concurs. OAS will include the security requirements defined by the Office of Information Technology in applicable contracts.


MEMORANDUM

July 14, 2011

TO:       H. David Kotz, Inspector General
          Office of Inspector General (OIG)

          Jacqueline Wilson, Assistant Inspector General for Audits
          Office of Inspector General

FROM:     Thomas A. Bayer, Chief Information Officer
          Office of Information Technology (OIT)

SUBJECT:  OIT’s Response to the OIG Draft Report No. 496, Review of SEC Contracts for Inclusion of Language Addressing Privacy Act Requirements

This memorandum is in response to the Office of Inspector General Draft Report No. 496, Review of SEC Contracts for Inclusion of Language Addressing Privacy Act Requirements. Thank you for the opportunity to review and respond to this report.

Recommendation 1
The Office of Administrative Services (OAS) should add language provided by the Office of Information Technology to new service contracts that require the handling of PII data stating that the U.S. Securities and Exchange Commission requires the contractor to provide copies of the contractor’s privacy policies and privacy impact assessments.

OIT concurs with this recommendation and will provide to OAS language regarding privacy policies and privacy impact assessments for inclusion in new service contracts that require the handling of PII data.

Recommendation 2
The Office of Administrative Services should add Office of Information Technology-defined security requirements to applicable contacts stating that contractors handling electronic personally identifiable information (PII) data may be required to meet defined security requirements when transmitting PII data across public networks (i.e. Internet) or stored on portable media. The Office of Information Technology should add language to applicable interconnectivity agreements (IAA) stating that partners transmitting electronic PII data across public networks (i.e. Internet) are required to meet the Office of Information Technology-defined security requirements.

OIT concurs with this recommendation and will provide to OAS language regarding specific security requirements for inclusion in applicable contracts. In addition, OIT will add language regarding specific security requirements to its IAA related to transmitting electronic PII.


Appendix V

OIG Response to Management’s Comments

We are pleased that OAS and OIT have concurred with the report’s two recommendations. We are also encouraged that OAS and OIT have indicated that they will work together to implement the recommendations and that they have already taken steps to implement the recommendations. We believe that OAS and OIT’s proposed actions are responsive to the report’s findings and recommendations.

Once both recommendations are fully implemented, we believe the SEC’s security posture will be strengthened, and contractors wanting to conduct business with the agency will be fully aware of the SEC’s expectations for adequately protecting Commission data.


Audit Requests and Ideas

The Office of Inspector General welcomes your input. If you would like to request an audit in the future or have an audit idea, please contact us at

U.S. Securities and Exchange Commission
Office of Inspector General
Attn: Assistant Inspector General, Audits (Audit Request/Idea)
100 F Street, N.E.
Washington D.C. 20549-2736

Telephone: 202-551-6061
Fax:       202-772-9265
E-mail:    oig@sec.gov

Hotline

To report fraud, waste, abuse, and mismanagement at the SEC, contact the Office of Inspector General at

Telephone: 877.442.0854

Web-Based Hotline Complaint Form:
www.reportlineweb.com/sec_oig